1. Field of the Invention
The application generally relates to a method for monitoring security in an automation network, in which a plurality of data processing devices are connected to one another for the purpose of data communication.
From the point of view of data processing, industrial automation networks include a data network and data processing devices that are connected to one another by the data network to communicate data. In order to make it possible to operate an industrial installation automated by the automation network from a remote station, for example, automation networks can be connected to a public network (e.g., the Internet), using a gateway. Various advantages when implementing modern automation networks result in the increased use of IT technologies such as Ethernet and the Internet Protocol (IP). However, this increases the security risks, as a result of unauthorized interventions in the respective automation network from the outside.
2. Related Art
The article “Ganzheitliches anlagenweites Security Management—Werkzeuge für die automatisierte Unterstützung” [Integral installation-wide security management—tools for automated assistance] by Anna Palmin, Stefan Runde and Pierre Kobes, published in atp, March 2012, pages 34 to 40, describes measures for improving security in industrial automation networks. One of the important measures within the scope of integral security management is the recording and evaluation of messages that are generated by various components of the automation network in the case of events and can possibly reveal an attack. A superordinate unit collects and evaluates the messages to discern from the reported individual events or a combination of a plurality of events whether an attack is actually taking place and possibly report this attack to a station so that suitable measures can be initiated in response to the discerned attack. This functionality is referred to as Security Event Management (SEM).
Another functionality relates to the generation of reports in order to demonstrate the compliance with guidelines. This is referred to as Security Information Management (SIM). If a unit combines the two functionalities mentioned, it is referred to as Security Information and Event Management (SIEM). A computing unit having a software tool that is used to implement SIEM in an automation network is presented as a security station in the above-mentioned article. The security station is structurally classified as a process control system (PCS). An operator station and the security station can run together on a personal computer (PC) or on two separate PCs. The security station may likewise be implemented in an already existing maintenance station. The security station is used to integrate the security management in the process control system and to allow it to run in parallel with the installation automation.
The existing views, for example the operational view and the maintenance view, are therefore supplemented with an additional integrated security view of the installation. In addition, the reporting and archiving system present in the automation network can be used to process the messages generated for security-relevant events. As an alternative to an integrated software tool, the security station can be implemented as a tool that is independent of specific products and has clearly defined interfaces. It can therefore be flexibly used in the context of PCS and SCADA (Supervisory Control and Data Acquisition) systems. The software tool of the security station is used to monitor security in the automation network, specifically by recording and evaluating messages that are generated by an operating unit (often referred to as an operator station), a programmable logic controller, a so-called controller, network components, such as routers, switches or gateways, or field devices, such as actuators or measuring transducers for pressure, temperature or flow rate.
The above mentioned devices are generally referred to herein as data processing devices or as event sources for short. Due to their corresponding preconfiguration, the data processing devices generate messages corresponding to security-relevant events in the case of the latter. Examples of security-relevant events include a detected failed attempt to log onto a PC, which is recorded in the Windows event log, or a detected unauthorized access to an IP address, which is warded off by a firewall and possibly recorded in a log file. The reported events are normalized in so-called connectors of the SIEM system. The normalization is generally implemented as mapping of individual parts or parameters to the data structure of the SIEM. In this case, prefabricated connectors for integrating Syslog-enabled and/or SNMP-enabled components such as switches, firewalls and routers and prefabricated connectors for integrating Windows components are present.
An SIEM system is generally configured in the engineering phase, that is to say when planning and starting up an automation installation. Configuration comprises, inter alia, connecting data processing devices, which are possible as sources for messages relating to security-relevant events, to an SIEM system using the corresponding connectors. In this case, the goal is for the SIEM system to avoid communicating with any sources of event messages that are unknown to it since this could impair the security monitoring reliability. It should likewise be ensured that, in the case of security-relevant events, corresponding messages are actually generated by the data processing device concerned.
The primary goal of an SIEM system used in an automation installation is to promptly detect and evaluate indications of attempted attacks or deviations from the normal state. The SIEM system is configured to make it possible to react to attempted attacks and abnormalities promptly and appropriately.